Using single-factor authentication to protect against cyber attacks is not enough in today’s hyperconnected world.
And the consequences of relying on inferior security measures can be grave. Take the Colonial Pipeline ransomware attack in the US in May 2021, which caused huge business damage. Using a single password, cyber attackers were able to gain access to the organisation’s data and encrypt its IT systems. The password was part of a batch of leaked passwords found on the dark web, and it allowed access to the virtual private network (VPN), which gave the attackers a remote connection to the company’s server and all the data stored there.
So how can companies protect their network and make sure that cyber criminals can’t access critical data, even with a leaked password?
The problem with passwords
The conventional way to authenticate users is via a password or a code, but it’s becoming more and more obvious that solely relying on passwords is not enough to fully protect accounts. Cyber criminals are exploiting weak, stolen, or compromised credentials to take on the identity of certain individuals, hunting for privileged accounts and credentials that can help gain them access to an organisation’s most critical infrastructure and sensitive data.
Keeping track of passwords can be challenging and risky: in fact, over 40% of enterprise IT security teams rely on written notes and human memory to protect and manage passwords, which is hardly a modern or high-tech solution. It’s no surprise, then, that millions of leaked passwords are floating around on the dark web, and that relying only on passwords for user authentication is poor practice.
Multi-factor authentication (MFA) means using an extra method of identification in addition to a username and password when logging into an account. This enhanced method of security ensures that the person requesting access is actually the right person by requiring additional verification information called ‘factors’.
Some of the factors used in MFA are:
- The ownership factor: Something the user has – some physical object in the possession of the user, such as a security key or a security token.
- The knowledge factor: Something the user knows such as an extra password, PIN or a secret.
- The biometric factor: Something the user is – a physical characteristic of the user (biometrics), such as a fingerprint, retina scan or typing speed.
By requiring factors from two or more of these categories to validate the identity of the user, MFA provides a higher level of safety than passwords alone.
Why multi-factor authentication is so crucial
The Colonial Pipeline ransomware attack would have most likely been avoided if the stolen account details had been protected via MFA. Even if attackers had the usual account credentials, they would not have had the second ‘factor’ they needed, and this virtual barrier would have stopped them in their tracks.
It’s widely accepted that MFA is the best and simplest solution when it comes to securing access to sensitive data – it not only protects against credential theft, but it’s also effective against weak passwords. Unfortunately, many users still use passwords such as “123456”, “password”, “qwerty” or personal information which is easy to obtain, like their date of birth. Attackers can find or hack weak passwords, but it is much harder for them to use another form of verification, such as a fingerprint, without being discovered. What’s more, to comply with the PCI Data Security Standard (PCI DSS), GDPR and other industry regulations, organisations must ensure they are implementing strong authentication methods. It wouldn’t be possible to adopt popular emerging paradigms such as Zero Trust and SASE without MFA.
Could the future be password free?
Organisations are beginning to realise that passwords deliver poor security, negatively impact user experience and increase support costs. They can also see that cyber attackers are relying on this weakness to compromise accounts. Thanks to advances in security technology there is now a solution: ‘passwordless’ authentication, where a user can log in without entering a password or any other knowledge-based secret. Instead, users are asked to authenticate by providing only an ownership factor or a biometric factor. End users no longer need to create, store or remember passwords, which saves them stress and hassle, and at the same time the overall security risk is reduced.
Why BT and Cisco?
With a shared track record as leaders in innovation and technology, BT and Cisco’s 30-year partnership positions us perfectly to help companies improve their security. The Cisco Duo solution secures access to critical applications and data with a frictionless user experience and easy deployment in any environment. It also offers two‑factor authentication, endpoint remediation and secure single sign‑on tools. Among the authentication factors Cisco Duo offers are the Duo Push, phone calls, Duo mobile pass code, hardware token, SMS password, Yubikey passcode and more. Businesses can choose from those authentication methods based on their specific needs. Working with BT and Cisco, you can expect a single, uniform business entity, and a local presence with global reach, even for complex projects.
If you’d like to discuss multi-factor authentication and how to best secure your data, please get in touch with your account manager.
Source: Ponemon 2020, ‘The state of password and authentication security behaviours’.